Cyborg

Reconnaissance
Initial nmap scan to find open ports, using the "treat all hosts as alive" flag (-Pn):
nmap -Pn 10.10.4.121

We have two open ports: 22, running SSH, and 80, running HTTP.

Detailed nmap scan:
Command breakdown:
(-sV): Service version detection
(-sC): Default nmap scripts
(-p): Specifying ports 22,80
(-oN nmap): Saving the output to a file called nmap
nmap -sV -sC -p 22,80 -oN nmap 10.10.4.121

Enumeration
Let's visit the web server.

It's a default Apache2 page, so let's run gobuster to find hidden directories and files.

There is an admin directory; let's check it out.

It's a website with information about a person. Let's explore the website and see what we can find. When you go to the Admins tab, you find this information:

Looks like there is a backup called music_archive. We also get another hit on gobuster: an /etc/ directory. This might contain the config files that Alex was talking about, so let's go visit it.

Clicking on the folder, we see some interesting files.

We have a squid.conf file and a passwd file. Let's download these to our machine:
wget http://10.10.4.121/etc/squid/<file-name>

Let's check these files out.

Looks like a hash; let's crack it using John the Ripper.

We found a password: squidward. Let's look at the other file.

Doesn't look like anything important. One thing we did not find is the archive file Alex was talking about, so I went looking for it and found it here.

Let's download this.

The archive is a tar file; let's click OK after selecting Save File. Now let's check its contents:
tar -xvf archive.tar

We found these files. I went through many of them and many did not make sense, except this one.

Looking at this information, I searched the topic on Google and found this page, which showed that there were commands we could use, so I went looking for the tool that provides the borg commands; one of the sources was GitHub.

Next I went here, as it said that it had recent releases.

I downloaded the Linux file.

Let's list the files. I tried using it and got this message:
borg list home/field/dev/final_archive

And so I downloaded the tool; now let's list the files:
borg list home/field/dev/final_archive

Earlier in our enumeration we found a password: squidward. Let's use that:
borg list home/field/dev/final_archive

And it worked: we have an archive called music_archive. Now let's extract this file too:
borg extract home/field/dev/final_archive/::music_archive
It asks for a password, and I just used the one from before and it worked.

We extracted a folder called alex. Navigating through it, I found this file.

It has nothing interesting. I also found this file:

It has a username and password. Let's try to log in with these credentials through SSH.

We are logged in. We can also cat the user.txt file.

Privilege Escalation
Let's run sudo -l to see what we can run as root.

Looks like we can run this file; let's see what it does.

Looking through it, the getopts line is the interesting part: according to Google, it is a shell built-in that parses the arguments and options passed to a bash script. This is the article I found after googling. In summary, if we pass the bash script a -c argument, getopts will take the command that follows it, hand it to the script, and the script then executes it. Let's run a bash command:
sudo /etc/mp3backups/backup.sh -c bash
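The getopts behaviour described above, shown as an added example that is not the box's backup.sh: a constructed option parser that hands the -c value straight to eval (the pattern the walkthrough abuses), beside one that maps -c onto a fixed allowlist of actions and rejects anything else. The function names, the optstring and the allowlist values are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not the box's /etc/mp3backups/backup.sh.
# getopts only separates an option from its value; it does nothing to make the
# value safe. What matters is what the script does with OPTARG afterwards.

# Unsafe pattern (constructed): the -c value is executed as-is. Run under sudo,
# every word the caller supplies runs as root.
unsafe_backup_opts() {
    OPTIND=1
    cmd=""
    while getopts ":c:" opt "$@"; do
        case "$opt" in
            c) cmd="$OPTARG" ;;
        esac
    done
    eval "$cmd"        # caller-controlled string reaches the shell unchanged
}

# Hardened pattern (constructed): -c selects one of a few named actions.
# The value is compared against an allowlist and never passed to eval or sh.
safe_backup_opts() {
    OPTIND=1
    action=""
    while getopts ":c:" opt "$@"; do
        case "$opt" in
            c)  action="$OPTARG" ;;
            :)  echo "option -$OPTARG needs a value" >&2; return 2 ;;
            \?) echo "unknown option -$OPTARG" >&2; return 2 ;;
        esac
    done
    case "$action" in
        list)   echo "listing backups" ;;
        verify) echo "verifying backups" ;;
        *)      echo "rejected action: '$action'" >&2; return 1 ;;
    esac
}

# Demo: the same -c value is obeyed by one parser and refused by the other.
unsafe_backup_opts -c 'echo "unsafe parser ran my command"'
safe_backup_opts -c list
safe_backup_opts -c 'echo "this should not run"' || echo "safe parser refused it"
```

The allowlist is the fix on the script side; on the sudo side, a sudoers rule can list the command with an explicit argument list (an empty "" means no arguments at all) so the user cannot pass -c in the first place.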

We are now root, but none of the commands worked.

What we have to do is add the SUID bit to bash, exit the shell, and then use the bash binary to get root on the box and execute commands:
chmod 4577 /bin/bash
exit
bash -p
cd /root
cat root.txt
Using these commands we can read the root flag.
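The SUID change above is exactly what a host audit should catch. As an added example that is not part of the walkthrough, here is a small POSIX shell audit helper that lists setuid files under a directory and flags any whose name is a shell interpreter; the demo at the bottom builds a constructed directory tree containing a fake bash with the same mode 4577 used above. Function names and the list of shell names are assumptions.

```shell
#!/bin/sh
# Added example (not from the walkthrough): detect setuid shells, the artefact
# that "chmod 4577 /bin/bash" leaves behind. On a real host run it against /.

# Print every setuid regular file below $1, one per line.
list_suid_files() {
    find "$1" -type f -perm -4000 2>/dev/null
}

# Keep only the setuid files whose basename is a known shell interpreter.
find_suid_shells() {
    list_suid_files "$1" | while IFS= read -r f; do
        case "${f##*/}" in
            sh|bash|dash|zsh|ksh|fish) printf '%s\n' "$f" ;;
        esac
    done
}

# Return 0 when no setuid shell exists below $1, 1 otherwise (and report them).
audit_suid_shells() {
    hits=$(find_suid_shells "$1")
    if [ -n "$hits" ]; then
        printf 'setuid shell(s) found:\n%s\n' "$hits" >&2
        return 1
    fi
    return 0
}

# Demo on a constructed tree: a fake bash with the writeup's mode, plus a
# legitimately setuid passwd and an ordinary ls, so only bash should be flagged.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/bin"
: > "$demo_dir/bin/bash"; : > "$demo_dir/bin/passwd"; : > "$demo_dir/bin/ls"
chmod 4577 "$demo_dir/bin/bash"     # same mode as the walkthrough
chmod 4755 "$demo_dir/bin/passwd"   # setuid, but not a shell
chmod 0755 "$demo_dir/bin/ls"
audit_suid_shells "$demo_dir" || echo "audit flagged $demo_dir"
rm -rf "$demo_dir"
```

A scheduled run that diffs the output of list_suid_files against a known-good baseline is the usual way to turn this into an alert; any shell in the list, or any setuid file that was not there yesterday, is worth an immediate look.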
